Add explicit "Rosetta Flash JSONP abuse" protection · expressjs/express@f684a64 (original) (raw)
`@@ -14,11 +14,8 @@ describe('res', function(){
`
14
14
``
15
15
`request(app)
`
16
16
`.get('/?callback=something')
`
17
``
`-
.end(function(err, res){
`
18
``
`-
res.headers.should.have.property('content-type', 'text/javascript; charset=utf-8');
`
19
``
`-
res.text.should.equal('typeof something === 'function' && something({"count":1});');
`
20
``
`-
done();
`
21
``
`-
})
`
``
17
`+
.expect('Content-Type', 'text/javascript; charset=utf-8')
`
``
18
`+
.expect(200, /something({"count":1});/, done);
`
22
19
`})
`
23
20
``
24
21
`it('should use first callback parameter with jsonp', function(done){
`
`@@ -29,12 +26,9 @@ describe('res', function(){
`
29
26
`});
`
30
27
``
31
28
`request(app)
`
32
``
`-
.get('/?callback=something&callback=somethingelse')
`
33
``
`-
.end(function(err, res){
`
34
``
`-
res.headers.should.have.property('content-type', 'text/javascript; charset=utf-8');
`
35
``
`-
res.text.should.equal('typeof something === 'function' && something({"count":1});');
`
36
``
`-
done();
`
37
``
`-
})
`
``
29
`+
.get('/?callback=something&callback=somethingelse')
`
``
30
`+
.expect('Content-Type', 'text/javascript; charset=utf-8')
`
``
31
`+
.expect(200, /something({"count":1});/, done);
`
38
32
`})
`
39
33
``
40
34
`it('should ignore object callback parameter with jsonp', function(done){
`
`@@ -61,11 +55,8 @@ describe('res', function(){
`
61
55
``
62
56
`request(app)
`
63
57
`.get('/?clb=something')
`
64
``
`-
.end(function(err, res){
`
65
``
`-
res.headers.should.have.property('content-type', 'text/javascript; charset=utf-8');
`
66
``
`-
res.text.should.equal('typeof something === 'function' && something({"count":1});');
`
67
``
`-
done();
`
68
``
`-
})
`
``
58
`+
.expect('Content-Type', 'text/javascript; charset=utf-8')
`
``
59
`+
.expect(200, /something({"count":1});/, done);
`
69
60
`})
`
70
61
``
71
62
`it('should allow []', function(done){
`
`@@ -77,11 +68,8 @@ describe('res', function(){
`
77
68
``
78
69
`request(app)
`
79
70
`.get('/?callback=callbacks[123]')
`
80
``
`-
.end(function(err, res){
`
81
``
`-
res.headers.should.have.property('content-type', 'text/javascript; charset=utf-8');
`
82
``
`-
res.text.should.equal('typeof callbacks[123] === 'function' && callbacks123;');
`
83
``
`-
done();
`
84
``
`-
})
`
``
71
`+
.expect('Content-Type', 'text/javascript; charset=utf-8')
`
``
72
`+
.expect(200, /callbacks[123]({"count":1});/, done);
`
85
73
`})
`
86
74
``
87
75
`it('should disallow arbitrary js', function(done){
`
`@@ -93,11 +81,8 @@ describe('res', function(){
`
93
81
``
94
82
`request(app)
`
95
83
`.get('/?callback=foo;bar()')
`
96
``
`-
.end(function(err, res){
`
97
``
`-
res.headers.should.have.property('content-type', 'text/javascript; charset=utf-8');
`
98
``
`-
res.text.should.equal('typeof foobar === 'function' && foobar({});');
`
99
``
`-
done();
`
100
``
`-
})
`
``
84
`+
.expect('Content-Type', 'text/javascript; charset=utf-8')
`
``
85
`+
.expect(200, /foobar({});/, done);
`
101
86
`})
`
102
87
``
103
88
`it('should escape utf whitespace', function(done){
`
`@@ -109,13 +94,24 @@ describe('res', function(){
`
109
94
``
110
95
`request(app)
`
111
96
`.get('/?callback=foo')
`
112
``
`-
.end(function(err, res){
`
113
``
`-
res.headers.should.have.property('content-type', 'text/javascript; charset=utf-8');
`
114
``
`-
res.text.should.equal('typeof foo === 'function' && foo({"str":"\u2028 \u2029 woot"});');
`
115
``
`-
done();
`
116
``
`-
});
`
``
97
`+
.expect('Content-Type', 'text/javascript; charset=utf-8')
`
``
98
`+
.expect(200, /foo({"str":"\u2028 \u2029 woot"});/, done);
`
117
99
`});
`
118
100
``
``
101
`+
it('should include security header and prologue', function (done) {
`
``
102
`+
var app = express();
`
``
103
+
``
104
`+
app.use(function(req, res){
`
``
105
`+
res.jsonp({ count: 1 });
`
``
106
`+
});
`
``
107
+
``
108
`+
request(app)
`
``
109
`+
.get('/?callback=something')
`
``
110
`+
.expect('Content-Type', 'text/javascript; charset=utf-8')
`
``
111
`+
.expect('X-Content-Type-Options', 'nosniff')
`
``
112
`+
.expect(200, /^/**//, done);
`
``
113
`+
})
`
``
114
+
119
115
`it('should not override previous Content-Types with no callback', function(done){
`
120
116
`var app = express();
`
121
117
``
`@@ -127,7 +123,11 @@ describe('res', function(){
`
127
123
`request(app)
`
128
124
`.get('/')
`
129
125
`.expect('Content-Type', 'application/vnd.example+json; charset=utf-8')
`
130
``
`-
.expect(200, '{"hello":"world"}', done);
`
``
126
`+
.expect(200, '{"hello":"world"}', function (err, res) {
`
``
127
`+
if (err) return done(err);
`
``
128
`+
res.headers.should.not.have.property('x-content-type-options');
`
``
129
`+
done();
`
``
130
`+
});
`
131
131
`})
`
132
132
``
133
133
`it('should override previous Content-Types with callback', function(done){
`
`@@ -141,6 +141,7 @@ describe('res', function(){
`
141
141
`request(app)
`
142
142
`.get('/?callback=cb')
`
143
143
`.expect('Content-Type', 'text/javascript; charset=utf-8')
`
``
144
`+
.expect('X-Content-Type-Options', 'nosniff')
`
144
145
`.expect(200, /cb({"hello":"world"});$/, done);
`
145
146
`})
`
146
147
``
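Review bot: The rewritten body expectations in the first hunk (`.expect(200, /something({"count":1});/, done)`) and its siblings are unanchored regexes, so they no longer pin the `typeof something === 'function' &&` guard that the removed `should.equal` lines asserted, and only the separate "security header and prologue" test anchors `^/**/`; any extra content before or after the callback invocation would now pass these tests. If the response body still carries that guard after the prologue (presumably it does, since only the prologue and header were added), anchoring the expectation keeps the security-relevant shape of the body under test, e.g. `.expect(200, /^\/\*\*\/ typeof something === 'function' && something\(\{"count":1\}\);$/, done);` — the backslash escaping appears to have been stripped by the page rendering, since the literals as shown would not be valid regexes. The same loosening applies to the hunks for the first-callback, object-callback, `[]`, arbitrary-js and utf-whitespace tests, while the last hunk's `/cb({"hello":"world"});$/` is at least end-anchored. The `describe('res', …)` block enclosing these hunks starts and ends outside the shown section.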